AWS Security ChangesHomeSearch

AWS IAM high security documentation change

Service: IAM · 2025-05-16 · Security-related high

File: IAM/latest/UserGuide/cloudtrail-integration.md

Summary

Updated CloudTrail logging behavior to specify that `secretAccessKey` is excluded from `responseElements` in STS AssumeRole* API logs

Security assessment

The change explicitly redacts `secretAccessKey` from CloudTrail logs for STS AssumeRole APIs. This prevents sensitive credential exposure in logs, directly addressing a security risk of potential credential leakage. The modification provides concrete evidence of security hardening.

Diff

diff --git a/IAM/latest/UserGuide/cloudtrail-integration.md b/IAM/latest/UserGuide/cloudtrail-integration.md
index fc05e18ff..4c1eac107 100644
--- a//IAM/latest/UserGuide/cloudtrail-integration.md
+++ b//IAM/latest/UserGuide/cloudtrail-integration.md
@@ -110 +110 @@ Externally authenticated user | AssumeRoleWithWebIdentity | n/a | OIDC/Web user
-CloudTrail considers an action read-only if it does not have any mutating effect on a resource. When logging a read-only event, CloudTrail redacts the `responseElements` information in the log. When CloudTrail logs an event that is not read-only, the full `responseElements` is shown in the log entry. However, for the AWS STS APIs `AssumeRole`, `AssumeRoleWithSAML`, and `AssumeRoleWithWebIdentity`, even though they are logged as read-only, CloudTrail will include the full `responseElements` in the log for these APIs.
+CloudTrail considers an action read-only if it does not have any mutating effect on a resource. When logging a read-only event, CloudTrail redacts the `responseElements` information in the log. When CloudTrail logs an event that is not read-only, the full `responseElements` is shown in the log entry. For the AWS STS APIs `AssumeRole`, `AssumeRoleWithSAML`, and `AssumeRoleWithWebIdentity`, even though they are logged as read-only, CloudTrail will include the full `responseElements` except `secretAccessKey` in the log for these APIs.